**1.2 Thirteen principles of the BCBS internal control framework**


of control structures and activities, ineffective share and flow of internal information and ineffective internal audit and monitoring activities [1].

*Banking and Finance*

rate governance systems partially or significantly account for the 2007 global financial crisis [2, 3]. The crisis led to high rates of non-performing loans which affected several economies in the US and Europe. In a briefing to the European Parliament, the authors lament the rate of non-performing loans leading to credit risk among EU countries during and after the global financial crisis [4]. Prior research identifies factors such as low profitability, bank size and high concentration of banks in lending as key determinants of credit risk in the banking industry [5]. This study explores qualitative self-regulation approach using the BCBS internal control framework to investigate how internal controls affect credit risk in European banking. This chapter extends prior research about the banking industry in Spain where the authors find significant relation between the elements of internal controls using the COSO framework [6]. The study differs from existing ones in several ways. Whilst previous study focuses on a single country, the current chapter covers several countries within the EU thus making it broader and wider. The work of Akwaa-Sekyi and Moreno [6] uses single variables to measure the elements of internal controls but the current study uses several variables which cover the principles of internal controls. Unlike the previous study which uses the COSO framework, this chapter uses bank-related framework suggested by the BCBS. To the best of our knowledge, this is the first chapter to use the BCBS internal control framework to study its relationship with credit risk within the European banking.

Some researchers argue that poor risk management practices and weak corpo-

This chapter derives motivations from three sources. The first motivation for this study comes from Cho and Chung [7]. They find that banks with weak internal control weakness report high provision for loan losses and loan loss reserves which exacerbates credit risk. Anytime banks intensify efforts to strengthen internal control weaknesses, there were reductions in provisions and loan loss reserves [7]. Based on their findings, we propose the use of the BCBS internal control framework to minimize bank credit risk. Second, prior research by Uhde et al. [8] motivates this chapter. In reviewing existing literature Uhde et al. [8] underscore the relevance of a framework that combines board structure and composition to ensure effective board monitoring. We concur with this integrated framework approach and therefore propose the joint effect of board functions and activities, board structure and board monitoring to minimize bank credit risk. Finally, the work of Karkowska and Acedański [9] motivates this chapter. The authors conclude that there is no much change in the corporate governance and bank stability nexus after the financial crisis and therefore suggest the need to strengthen corporate governance practices. This implies there is still room for banks to improve upon their corporate governance practices to deepen and sustain investor confidence in the banking system. For this reason, we suggest an internal control framework that is quite exhaustive in addressing the menace of investor losses such as credit risk. Failures to detect breakdowns in internal controls lead to massive fraud which puts shareholder investment in jeopardy and lack of confidence in the banking sector. The chapter seeks to fill these research gaps by analyzing how internal governance

of the BCBS framework of internal controls affects credit risk.

**18**

The contributions of this chapter are not far-fetched. First, this chapter extends the literature on the relationship between board functions and activities and bank credit risk. The findings suggest that effective board functions and activities minimize bank credit risk. Second, this study proffers evidence to support the agency and institutional theories to monitor managerial behavior likely to result in investment losses through credit risk. The result complements existing research that independent board structure minimizes credit risk. Another contribution of this

• Ensure segregation of duties and elimination of potential conflict of interest in the conduct of business

Risk recognition and assessment involves the determination, identification and

The BCBS framework emphasizes the use of relevant information and communication to internal (functional areas and employees) and external users (stakeholders) through various reports (Abbas and Iqbal [21]). Banks earn reputational capital by providing reliable timely information to internal and external stakeholders [22]. Information flow, information sharing and representation on various committees within banks improves upon the risk culture [18] and transparency. Board meetings and committee functions helps information production. The control activities comprise selecting and developing control activities in general and over technology and deploying policies and procedures. It concerns taking precautionary measures and determining acceptable risk tolerance levels through policies, checks, and balances [21]. Bank control activities were found to significantly minimize credit risk [6]. Monitoring is about conducting on-going and/or separate evaluations and evaluating and communicating deficiencies [23]. The use of internal and external audit units, enforcement of internal control policies and adherence to regulatory measures improve bank monitoring. The agency problem can be linked to major banking activities which increases the probability risk exposure. Bank complexity and opacity (especially in the credit creation function) have the tendency to exacerbate the agency problem [24]. Bank managers in their effort to originate, fund, service and monitor credit supply may engage in certain actions or inactions that will impair the loan portfolio leading to the loss of assets. It is to avert such occurrences that effective internal control systems that minimizes such losses

Credit risk is crucial for bank management because of its relationship with other risks such as operational, market, and liquidity risks. Players in the financial services industry especially large-sized institutions use unproven and untested credit risk models and this could be cited as one of the causes of the 2007 financial crisis [3]. A publication on the role of credit risk in bank management and corporate governance, Lang and Jagtiani [3] argue that over-reliance on advanced quantitative credit risk models did not prove successful during the mortgage crisis. Thus, a multi-approach that adopts qualitative approaches to complement prudential quantitative models will enhance bank risk management. The chapter proposes this multi-approach by employing the BCBS framework for internal controls to address

bank credit risk. Credit risk is a destination point for loan default and nonperforming loans. Series of loan defaults transform into non-performing portfolio before it gets to the stage of credit risk. **Figure 1** shows the credit risk trajectory. In this trajectory (**Figure 1**), unpaid loans transform into default, then prolonged default graduates into non-performing loans which leads to credit risk and eventually the effect on related market participants could lead to financial crisis. The final destination of this trajectory is financial crisis, which affects the wider industry players because of the interconnectedness of the banking model. In the event of increasing default, there is increase in portfolio credit risk [25]. Bank

evaluation of risks or unfavorable events likely to impede the achievement of organizational objectives. Under risk management, companies should specify suitable objectives, identify and analyze risks, assess fraud risk and identify and analyze significant change. The expertise and experience of management and board members and their ability to identify, measure, monitor and evaluate risks goes a long way to reduce the consequences of bank risks. These functions means ensuring acceptable rates of risk weighted asset density [20], diversification and enforce-

*Internal Controls and Credit Risk in European Banking: The Basel Committee on Banking…*

ment of internal controls to address operational risks.

*DOI: http://dx.doi.org/10.5772/intechopen.92889*

should be in place and effectively enforced.

**1.3 Credit risk**

**21**


The reasons behind the enforcement of these principles are to ensure that internal control systems achieve performance, information and compliance objectives [1]. The Basel framework is a risk-based approach which grants some independence to banks to manage their own risks and to ensure safe and sound bank practices through effective balancing of supervisory and principle-based regulatory approaches [13]. Well-functioning internal controls serve as bedrock for capital adequacy under prudential risk management regulation.

To ensure sound governance and protection shareholder and other stakeholder interests, board of directors exercise oversight responsibilities over senior management. Board of directors owe it a duty to ensure a culture of control, adherence to principles and statutes exist to put management in check. This function has been given alternative names such as "tone at the top" by researchers. The International Federation of Accountants [14] emphasizes the tone at the top and culture and ethical framework as vital to the implementation of internal controls. The federation attributes serious accounting scandals to a situation of poor tone on the part of top management. Hansen et al. [15] and Hermanson et al. [16] report that the tone at the top should be assessed and reported periodically to ensure that management and upper management continuously conform to systems put in place. They admit the importance of the tone at the top and culture of control as very key to ensuring effective internal controls among public and non-public organizations. The board must be seen to be doing more than just enough to ensure good tone and corporate culture that minimizes risk [17]. Financial organizations must pursue a risk culture that seeks to improve oversight structures and risk metrics and good compliance [18]. Effective implementation of board policies sustains and fuels management oversight and control culture. Schwartz [19] identifies board policies among other dimensions of effective corporate culture. Management oversight and control culture covers the roles and responsibilities of board of directors, executive management and the maintenance of high honesty and ethical culture.

#### *Internal Controls and Credit Risk in European Banking: The Basel Committee on Banking… DOI: http://dx.doi.org/10.5772/intechopen.92889*

Risk recognition and assessment involves the determination, identification and evaluation of risks or unfavorable events likely to impede the achievement of organizational objectives. Under risk management, companies should specify suitable objectives, identify and analyze risks, assess fraud risk and identify and analyze significant change. The expertise and experience of management and board members and their ability to identify, measure, monitor and evaluate risks goes a long way to reduce the consequences of bank risks. These functions means ensuring acceptable rates of risk weighted asset density [20], diversification and enforcement of internal controls to address operational risks.

The BCBS framework emphasizes the use of relevant information and communication to internal (functional areas and employees) and external users (stakeholders) through various reports (Abbas and Iqbal [21]). Banks earn reputational capital by providing reliable timely information to internal and external stakeholders [22]. Information flow, information sharing and representation on various committees within banks improves upon the risk culture [18] and transparency. Board meetings and committee functions helps information production. The control activities comprise selecting and developing control activities in general and over technology and deploying policies and procedures. It concerns taking precautionary measures and determining acceptable risk tolerance levels through policies, checks, and balances [21]. Bank control activities were found to significantly minimize credit risk [6]. Monitoring is about conducting on-going and/or separate evaluations and evaluating and communicating deficiencies [23]. The use of internal and external audit units, enforcement of internal control policies and adherence to regulatory measures improve bank monitoring. The agency problem can be linked to major banking activities which increases the probability risk exposure. Bank complexity and opacity (especially in the credit creation function) have the tendency to exacerbate the agency problem [24]. Bank managers in their effort to originate, fund, service and monitor credit supply may engage in certain actions or inactions that will impair the loan portfolio leading to the loss of assets. It is to avert such occurrences that effective internal control systems that minimizes such losses should be in place and effectively enforced.

#### **1.3 Credit risk**

• Ensure segregation of duties and elimination of potential conflict of interest in

• Detailed and comprehensive internal financial, operational and compliance data, external market information (events and conditions) which is reliable,

timely and easily accessible in a consistent and user-friendly format

supported by adequate contingency arrangements

adequacy under prudential risk management regulation.

• Reliable and secured information systems independently monitored and

• Periodic ongoing and daily monitoring of key risks by internal audit and

• Independent and competent internal audit ensuring adherence to internal control systems and reporting to senior management and board of directors

• Supervisors should ensure that all banks irrespective of size have effective internal controls that are consistent with the complexity and risks of business

• Reporting material internal control weakness to senior management and board

The reasons behind the enforcement of these principles are to ensure that internal control systems achieve performance, information and compliance objectives [1]. The Basel framework is a risk-based approach which grants some independence to banks to manage their own risks and to ensure safe and sound bank practices through effective balancing of supervisory and principle-based regulatory approaches [13]. Well-functioning internal controls serve as bedrock for capital

To ensure sound governance and protection shareholder and other stakeholder

interests, board of directors exercise oversight responsibilities over senior management. Board of directors owe it a duty to ensure a culture of control, adherence to principles and statutes exist to put management in check. This function has been given alternative names such as "tone at the top" by researchers. The International Federation of Accountants [14] emphasizes the tone at the top and culture and ethical framework as vital to the implementation of internal controls. The federation attributes serious accounting scandals to a situation of poor tone on the part of top management. Hansen et al. [15] and Hermanson et al. [16] report that the tone at the top should be assessed and reported periodically to ensure that management and upper management continuously conform to systems put in place. They admit the importance of the tone at the top and culture of control as very key to ensuring effective internal controls among public and non-public organizations. The board must be seen to be doing more than just enough to ensure good tone and corporate culture that minimizes risk [17]. Financial organizations must pursue a risk culture that seeks to improve oversight structures and risk metrics and good compliance [18]. Effective implementation of board policies sustains and fuels management oversight and control culture. Schwartz [19] identifies board policies among other dimensions of effective corporate culture. Management oversight and control culture covers the roles and responsibilities of board of directors, executive management and the maintenance of high honesty and

• Effective flow and share of information across personnel in functional areas

the conduct of business

*Banking and Finance*

and departments and units

business lines

ethical culture.

**20**

Credit risk is crucial for bank management because of its relationship with other risks such as operational, market, and liquidity risks. Players in the financial services industry especially large-sized institutions use unproven and untested credit risk models and this could be cited as one of the causes of the 2007 financial crisis [3]. A publication on the role of credit risk in bank management and corporate governance, Lang and Jagtiani [3] argue that over-reliance on advanced quantitative credit risk models did not prove successful during the mortgage crisis. Thus, a multi-approach that adopts qualitative approaches to complement prudential quantitative models will enhance bank risk management. The chapter proposes this multi-approach by employing the BCBS framework for internal controls to address bank credit risk. Credit risk is a destination point for loan default and nonperforming loans. Series of loan defaults transform into non-performing portfolio before it gets to the stage of credit risk. **Figure 1** shows the credit risk trajectory.

In this trajectory (**Figure 1**), unpaid loans transform into default, then prolonged default graduates into non-performing loans which leads to credit risk and eventually the effect on related market participants could lead to financial crisis. The final destination of this trajectory is financial crisis, which affects the wider industry players because of the interconnectedness of the banking model. In the event of increasing default, there is increase in portfolio credit risk [25]. Bank

structure in terms of unitary and dual boards and CEO duality and report no significant relation with bank fragility. Studying the UK financial sector, Akbar et al. [10] use board size, board independence and combined role of CEO and board chair as variables for board structure. The results from the UK study show that there is little evidence of CEO duality. The regression results confirm low risk taking behavior. Other authors use board size, board independence and board member affiliations as proxy for board structure [9]. The authors report that independent board structure reduces bank risks. The inconclusiveness in the findings stimulates further investigation into board structure. The structure of board of directors should ensure minimizing the agency problem through segregation of duties (as enshrined in the BCBS internal control framework). The structure, composition and characteristics of board of directors could be relevant in their oversight and control functions [31]. Board characteristics such as board composition, independence, size, and gender diversity are efficient in monitoring and control of management [32]. The authors explain that these board characteristics motivate board members in the quest to control and maintain a risk culture and sound bank management to the satisfaction of stakeholders. The current study measures board structure by nonexecutive board members, board diversity, and board chair being ex-CEO. We expect that boards with non-executive members, few cases of board chair being ex-CEO and boards with adequate female representation can demonstrate higher

*Internal Controls and Credit Risk in European Banking: The Basel Committee on Banking…*

degree of independence. This leads to the hypothesis that:

*independence increase credit risk.*

**23**

**2.3 Board monitoring and control**

*DOI: http://dx.doi.org/10.5772/intechopen.92889*

*H2: Independent board structure reduces credit risk whilst boards with weak*

Board monitoring has undergone several evolutions in corporate governance research [33]. The authors emphasize the role of the internal audit in responding to the agency problem through effective monitoring. The agency theory provides strong theoretical foundation to internal control research. The theory (traceable to the late 20th century and attributable to Jensen and Meckling) provides an underlying explanation of internal controls with the assumption that institutional behavior emanates from individual pursuit of self-interest and that there should be separation of ownership from control in order to minimize possible conflict of interest between the agent and the principal. The theory emphasizes separation of ownership from control, protection of minority interests, reducing conflict of interest and minimization of information asymmetry [34]. Jensen and Meckling [34] explain that the firm is a nexus of contracts among individual factors of production with conflicting objectives. Thus the best way of unifying these conflicts of interest is the use of contracts that minimizes the agency costs and enhances performance to maximize the value of the firm. A managerial tool put in place to check management and employee misbehavior through auditing, budgeting, compensation and other forms of control have proven successful in minimizing the agency costs [33, 35, 36]. Some high level of transparency and reporting is mandatory in order to effectively deal with information asymmetry. Internal control frameworks through the internal audit unit ensure the reporting and compliance objectives. Board audit committees reinforce the monitoring functions by ensuring compliance and adherence to internal controls [37]. Upadhyay et al. [37] conclude that board monitoring committees mitigate costs. We measure board monitoring by audit committee independence. Firms prefer using control-based approaches through audit committees with emphasis on high risk areas [38]. We propose the use of risk assessment and control by ensuring appropriate risk-weighted assets to total assets ratio to check possible insolvency. The use of risk weighted density

**Figure 1.** *The credit risk trajectory. Source: Author's construct.*

credit risk management strategies should therefore be comprehensive to address issues of default and prevent increasing non-performing loans. Most literature on credit risk uses ratios such as non-performing loans to total loans, provision for loan losses and loan loss reserves [5, 6, 26] to measure credit risk.
